From owner-freebsd-questions Mon Apr 9 19:31:27 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from todd-server.doonga.net (h0000e85749b9.ne.mediaone.net [66.31.205.167]) by hub.freebsd.org (Postfix) with ESMTP id 3E46237B422 for ; Mon, 9 Apr 2001 19:31:22 -0700 (PDT) (envelope-from todd@doonga.net)
Received: from toddpc (todd-pc.doonga.net [192.168.0.248]) by todd-server.doonga.net (8.11.3/8.11.3) with SMTP id f3A2WBL11444 for ; Mon, 9 Apr 2001 22:32:12 -0400 (EDT) (envelope-from todd@doonga.net)
From: "Todd Punderson"
To:
Subject: RE: How to specify external network for firewall/NAT when IP is dynamically assigned
Date: Mon, 9 Apr 2001 22:31:52 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
In-Reply-To: <15058.28495.979447.568693@guru.mired.org>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Ok, dumb question. If I have 2 NICs, does "me" know to use the dynamic address? I have my private range, and my DHCP'ed IP from the cable co.

Thanks.
Todd

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Mike Meyer
Sent: Monday, April 09, 2001 10:26 PM
To: Lowell Gilbert; michael@tenzo.com
Cc: questions@FreeBSD.ORG
Subject: Re: How to specify external network for firewall/NAT when IP is dynamically assigned

Lowell Gilbert types:
> michael@tenzo.com (Michael O'Henly) writes:
> > I'm attempting to set up a simple firewall for my home network. I have a
> > FreeBSD box with two NICs, one connected to the internet via cable modem and
> > the other to an internal network on which there are two Macs. My external IP
> > is assigned by DHCP. I'm not running any services that I want accessible to
> > external users, or any from which I'd want to block internal users.
> >
> > I've read a lot of docs over the last few days on how to do this and I think
> > I have the basics straight -- but for this question:
> >
> > In /etc/rc.firewall (simple section), I'm asked to identify my networks.
> > Since my IP is dynamically assigned, how do I specify my outside network
> > interface? Here's the format (replacing 1.2.3.444/24 with actual values)...
>
> Assuming that you only *have* one external IP address (and, thus, are
> doing NAT), there isn't really much in there that needs to specify your
> IP address anyway. Most of the references to the IP address are only
> there to specify that incoming connections are okay to the firewall
> machine, but not to other machines on the inside; this check is useless
> if the internal addresses aren't visible on the outside anyway.

Exactly. If you check rc.firewall, there are two references to "onet". The one that defines it, and one that disables packets claiming to be from the outside world coming in on your internal interface.

> Somewhat recently, FreeBSD has added a "me" option to ipfw's syntax for
> specifying addresses, and you can use this to refer to your address
> without needing to rebuild those rules if that address changes.
> However, as I said earlier, this is of somewhat limited usefulness if
> you've only got one address anyway.

"me" doesn't really help in this case. It matches the ip addresses for the system, not the network address range that's being used here.

Another recent addition is "not". If all traffic coming from inside should be from ${inet}:${imask}, you can do the spoof block using not and your internal network address like so:

	${fwcmd} add deny all from not ${inet}:${imask} to any in via ${iif}

This is a bit broader block than the one in rc.firewall, and it may not be appropriate in all cases. If you're managing a network large enough for it not to be appropriate - well, you probably wouldn't be asking the questions you're asking.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
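The anti-spoofing rules discussed in the thread, written out as an added sh example in the style of the rc.firewall "simple" section (this is not code from the thread or from FreeBSD's rc.firewall itself). It assumes the rc.firewall variable names `fwcmd`, `inet`, `imask`, `iif` and `oif`; the function names, the dry-run default, and the interface names `fxp0`/`fxp1` and the 192.168.0.0/24 internal network are constructed for illustration. Neither rule needs the external address or network, which is the point of Mike Meyer's "not" form when the outside IP is assigned by DHCP.

```shell
#!/bin/sh
# Added example, not from the thread: emit the spoof-blocking rules for a
# two-NIC NAT box without ever naming the external (DHCP-assigned) network.
# Variable names follow /etc/rc.firewall; everything else is assumed here.

# Dry run by default so the script is safe to run anywhere: it prints the
# ipfw commands instead of loading them. Set FWCMD=/sbin/ipfw to load them.
fwcmd="${FWCMD:-echo ipfw}"

# spoof_rules INET IMASK IIF OIF
#   INET/IMASK  internal network address and netmask
#   IIF         internal interface (toward the LAN)
#   OIF         external interface (toward the cable modem)
# Rule 1 is the "not" form from the thread: anything arriving on the
#   internal interface that does not carry an internal source address is
#   dropped, so the external network range never has to be spelled out.
# Rule 2 is the complementary check: a packet arriving on the external
#   interface claiming an internal source address is a spoof and is dropped.
# Note that ipfw's "me" keyword would not replace either rule: it matches
#   the box's own addresses, not the internal address range.
spoof_rules() {
    inet="$1"; imask="$2"; iif="$3"; oif="$4"
    $fwcmd add deny all from not "${inet}:${imask}" to any in via "$iif"
    $fwcmd add deny all from "${inet}:${imask}" to any in via "$oif"
}

# count_rules: number of rule lines the function produces (used as a
# quick self-check in dry-run mode).
count_rules() {
    spoof_rules "$@" | wc -l | tr -d ' '
}

# Constructed sample: LAN 192.168.0.0/24 on fxp1, cable modem on fxp0.
spoof_rules 192.168.0.0 255.255.255.0 fxp1 fxp0
```

Run as-is the script only prints the two `ipfw add deny` lines; with `FWCMD=/sbin/ipfw` it loads them, which on a live box should be done before any `allow` rules for the same interfaces so the spoof checks are evaluated first.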